#1 Global Leader in Data Resilience
#1 Global Leader in Data Resilience
TRY NOW
book meeting
BACK TO KB LIST

Azure Storage Account Key Security Advisory

KB ID: 4449
Product: Veeam Backup & Replication | 12
Veeam Backup for Microsoft 365 | 7.0
Veeam Agent for Microsoft Windows | 6.0
Veeam Agent for Linux | 6.0
Veeam Backup for Microsoft Azure | 5.0
Veeam Agent for Mac | 2.0
Published: 2023-05-12
Last Modified: 2023-05-31
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

This article highlights a flaw in the design of Microsoft Azure roles that could lead to breaches between control and data planes. If a control plane user's account is compromised, it can be used to access and alter files stored in the storage accounts accessible to them.

Cause

The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data to the storage accounts. An example of a role with the ListKeys permissions is Storage Account Contributor.



Example Diagram:
Shared Keys
  • User1 belongs to Resource Group A and can list all keys within that Resource Group.
    • Storage Account A
    • Storage Account B
  • User2 belongs to Storage Account A and can only list the key for that Storage Account.
    • Storage Account A.
  • User3 belongs to Resource Group A and Resource Group B. and can list all keys within both groups. 
    • Storage Account A
    • Storage Account B
    • Storage Account C
    • Storage Account D
  • User4 is a top-level account and can list Keys within all Resource Groups.
    • Storage Account A
    • Storage Account B
    • Storage Account C
    • Storage Account D
    • Storage Account E
    • Storage Account F

Solution

We strongly encourage customers to review:

 

Veeam's Additional Recommendations:

  • Limit the number of users that have access to your storage accounts.
  • Storage accounts used to store sensitive data should be placed in separate resource groups.

More Information

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Veeam Backup & Replication
Veeam Data Cloud for Microsoft 365
Veeam Data Cloud for Microsoft Entra ID
Veeam Data Cloud for Salesforce
Veeam Data Cloud for Microsoft Azure
Veeam Data Cloud Vault
Veeam Backup for Microsoft 365
Veeam Backup for Microsoft Entra ID
Veeam Backup for Salesforce
Veeam ONE
Veeam Service Provider Console
Veeam Agent for Microsoft Windows
Veeam Agent for Linux
Veeam Backup for Nutanix AHV
Veeam Backup for AWS
Veeam Backup for Microsoft Azure
Veeam Backup for Google Cloud
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Veeam Management Pack for Microsoft System Center
Veeam Recovery Orchestrator
Veeam Agent for Mac
Veeam Agent for IBM AIX
Veeam Agent for Oracle Solaris
Veeam Cloud Connect
Veeam Kasten for Kubernetes
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.